LinuxQuestions.org

anon033 06-17-2019 11:24 AM

[Not Really] Doas Scriptability
 
Hello everyone! I have a script that I am using to mount drives via dmenu; in this script a friend finally helped me to get it so I can enter sudo via dmenu. The issue is I want to use this script on my main machine, which uses doas (it runs OpenBSD). I really prefer doas as it is better in my opinion. I am unsure how to be able to enter my password via dmenu for it though. Does anyone know how to do the same thing I do here, but with doas?

Code:

#!/bin/sh

# store all unmounted partitions as "device (size)"
drive=$(lsblk -lp | grep "part $" | awk '{print $1, "(" $4 ")"}')

if [ "$drive" = "" ]
then
        exit 0
fi

# ask which drive to mount
chosen=$(echo "$drive" | dmenu -i -p "Mount which drive?" | awk '{print $1}')

if [ "$chosen" = "" ]
then
        exit 0
fi

# store mount directories in dirs (GNU find wants -maxdepth before -type)
dirs=$(find /mnt/ /media/ -maxdepth 3 -type d 2>/dev/null)

if [ "$dirs" = "" ]
then
        exit 0
fi

mountpoint=$(echo "$dirs" | dmenu -i -p "Type in mount point.")

# nothing selected: quit quietly
if [ "$mountpoint" = "" ]
then
        exit 0
fi

# refuse to continue if the typed mount point is not an existing directory
if [ ! -d "$mountpoint" ]
then
        notify-send "$mountpoint does not exist"
        exit 1
fi

# enter password via dmenu (empty stdin gives an empty menu; stock dmenu echoes what is typed)
password=$(dmenu -i -p "Enter password:" </dev/null)

# mount drive to mountpoint; sudo -S reads the password from stdin instead of the tty
printf '%s\n' "$password" | sudo -S mount "$chosen" "$mountpoint" && notify-send "$chosen mounted to $mountpoint."

I know storing the password in a variable is bad; this is a work in progress and I am looking into how to clear/remove these variables once the script is finished.

Marked as solved, I mean it isn't yet; but people are getting kinda heated so I'll close it...

Turbocapitalist 06-17-2019 11:41 AM

I would try a different way, if you are using sudo. If you are careful, you can specify a pattern in your /etc/sudoers file and then precede it with NOPASSWD.

anon033 06-17-2019 11:52 AM

Quote:

Originally Posted by Turbocapitalist (Post 6006365)
I would try a different way, if you are using sudo. If you are careful, you can specify a pattern in your /etc/sudoers file and then precede it with NOPASSWD.

I myself prefer to enter it, but I would love to use doas instead as it seems like a more simple way of doing what sudo does in my opinion.

Turbocapitalist 06-17-2019 11:58 AM

doas can only take strings not patterns, so you'd have to enumerate the options. That can be a problem if there are many.

With sudo you can try a pattern:

Code:

%foss ALL=(root:root) /bin/mount /dev/sd[a-f][0-9] /mnt[0-9]

MensaWater 06-17-2019 12:09 PM

Funny - I just read up on "doas" as I wasn't familiar with it. The primary reason one writer gives is because it is "runas on steroids" and implies that sudo can't do runas. In point of fact sudo allows runas_alias definitions in its sudoers file so does in fact allow for runas. I've used them here for years.

There isn't anything I've tried to accomplish with sudo that I wasn't able to do. I've used sudo on HP-UX, Solaris and Linux and *BSD and never saw any need for a replacement.

From my brief read it appears you can do a lot with doas as well.

Saying doas is superior (or sudo is superior) is purely subjective.

Such opinions, much like everything else in computing, are often based on how the person giving the opinion originally learned to do things. Years ago all AIX admins claimed it was the best UNIX variant but invariably it was the first (or only) one they'd used. The rest of us who learned other variants (AT&T, SCO, HP-UX, Solaris) first all hated AIX. Me, I liked AT&T then loved SCO and later HP-UX. When I ran across Solaris I disliked it but not quite as much as when I'd first run across AIX. Of course these days I use mostly Linux but the arguments about which distro is best seem to follow the same pattern.

jggimi 06-17-2019 12:43 PM

The doas(1) utility is certainly simpler than sudo(1). That simplicity can be an aid to security. But it can also limit certain activities. As an example, the doas.conf(5) permit|deny rule can be provisioned with command arguments, but the arguments must match exactly, there is no wildcard globbing, there are no regular expressions.

When I script with doas(), I either accept that I will need to authenticate, or I have rules that permit a specific command (and optional, complete argument string) to be used with the nopass option.
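
Added example, not part of the thread: because doas.conf arguments must match exactly, the sudoers pattern quoted earlier (`/bin/mount /dev/sd[a-f][0-9] /mnt[0-9]`) has to be expanded into one rule per device and mount point pair. The group `foss` and the paths are taken from that sudoers line; the function names `gen_mount_rules` and `rule_allows` are hypothetical.

```shell
#!/bin/sh
# Expand the sudoers pattern
#   /bin/mount /dev/sd[a-f][0-9] /mnt[0-9]
# into explicit doas.conf rules. doas.conf has no globbing and no
# regular expressions, so every allowed argument string is listed.

# gen_mount_rules GROUP MOUNT_BIN
# Prints one "permit nopass" rule per (device, mount point) pair.
gen_mount_rules() {
    group=$1
    mount_bin=$2
    for letter in a b c d e f; do
        for part in 0 1 2 3 4 5 6 7 8 9; do
            for n in 0 1 2 3 4 5 6 7 8 9; do
                printf 'permit nopass :%s as root cmd %s args /dev/sd%s%s /mnt%s\n' \
                    "$group" "$mount_bin" "$letter" "$part" "$n"
            done
        done
    done
}

# rule_allows RULES DEVICE MOUNTPOINT
# Returns 0 only when some rule's argument string equals
# "DEVICE MOUNTPOINT" exactly; extra or missing arguments do not match.
rule_allows() {
    printf '%s\n' "$1" | awk -v want="args $2 $3" '
        { i = index($0, " args ")
          if (i && substr($0, i + 1) == want) found = 1 }
        END { exit !found }'
}

# Stand-alone run: report how many rules the one-line pattern turns into.
rules=$(gen_mount_rules foss /bin/mount)
count=$(printf '%s\n' "$rules" | wc -l | tr -d ' ')
echo "$count explicit doas.conf rules generated" >&2
```

Each generated rule skips the password prompt only for that exact command line, so a request with additional mount options is not covered by it. A generated file can be syntax-checked with `doas -C <file>` before it is installed as /etc/doas.conf.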

anon033 06-17-2019 01:09 PM

Quote:

Originally Posted by jggimi (Post 6006385)
The doas(1) utility is certainly simpler than sudo(1). That simplicity can be an aid to security. But it can also limit certain activities. As an example, the doas.conf(5) permit|deny rule can be provisioned with command arguments, but the arguments must match exactly, there is no wildcard globbing, there are no regular expressions.

When I script with doas(), I either accept that I will need to authenticate, or I have rules that permit a specific command (and optional, complete argument string) to be used with the nopass option.

That is unfortunate... I guess I could add a patch to doas to be able to pipe into it in the same way... For now I'll have to opt for sudo. I am not a big fan of adding a permanent option to allow any commands that need super to run without a password :/

jggimi 06-17-2019 01:27 PM

You might experiment with one of the alternative authentication methods offered by $ doas -a <style>.

MensaWater 06-17-2019 02:10 PM

Quote:

Originally Posted by jggimi (Post 6006385)
simpler

Finding an OPINION written in a man page or on a project site does not convert it into a FACT. Use of comparatives like "simpler" (or superlatives like "best") in a discussion are usually good indicators you're reading an OPINION.

One can indeed restrict sudoers to allow commands to only run with given arguments. I've done it multiple times. One can also use meta-characters such as * to allow more arguments. As I noted before I've done a fair amount of sudoers definitions and have yet to find a task for which it couldn't be configured.

Someone who hasn't delved into sudo can't really give much detail about its capabilities much as I can't really give any detail about the capabilities of doas. If someone wants to use doas that is certainly their prerogative but spewing FUD about alternatives doesn't prove anything one way or the other. Notice that at no point did I say anything bad about "doas" - I simply indicated my preference for "sudo" and countered arguments about what it supposedly can't do.

jggimi 06-17-2019 02:34 PM

Here's some actual fact.
Code:

$ man doas.conf | wc
      96    497    4490
$ man sudo.conf | wc
    434    2489  21139

But I'm not here to argue. Just to point out that sudo(1) might be a better fit for use-cases such as this one.

cynwulf 06-17-2019 05:45 PM

Quote:

Originally Posted by MensaWater (Post 6006441)
Finding an OPINION written in a man page or on a project site does not convert it into a FACT. Use of comparatives like "simpler" (or superlatives like "best") in a discussion are usually good indicators you're reading an OPINION.

The use of the word "simpler" in the case of doas(1) is not an opinion, it's just stating a fact. It's a simpler programme. The term is not used in man pages for doas(1) and doas.conf(5) nor the relevant FAQ.

Quote:

Originally Posted by MensaWater (Post 6006441)
spewing FUD about alternatives doesn't prove anything one way or the other.

No one was "spewing FUD", you've clearly gotten the wrong end of the stick...

MensaWater 06-18-2019 08:08 AM

Your OPINION that the OPINION stated is correct does not make it a FACT.

jggimi 06-18-2019 08:27 AM

Wow. And all I did was recommend the utility YOU PREFER.

Jeebus.

anon033 06-18-2019 10:40 AM

Quote:

Originally Posted by jggimi (Post 6006747)
Wow. And all I did was recommend the utility YOU PREFER.

Jeebus.

I wouldn't have asked this question had I known this thread would have gotten this out of hand....

cynwulf 06-18-2019 10:48 AM

Quote:

Originally Posted by MensaWater (Post 6006735)
Your OPINION that the OPINION stated is correct does not make it a FACT.

https://cvsweb.openbsd.org/src/usr.bin/doas/

https://www.sudo.ws/repos/sudo/file/1.8/src

doas(1) is simpler code and a simpler programme. It doesn't have all of the features and functionality of sudo(8).

You can return to argue with upper case but it won't change much. It's a fact, proven by simply looking at the code and man pages.

As you're not an OpenBSD user and clearly don't understand why doas(1) replaced sudo(8) in the base system, I suspect that all of this is the product of some unfortunate misunderstanding on your part.

https://flak.tedunangst.com/post/doas

Quote:

Writing a small simple replacement meant that we could ship something in base which was totally unsuitable for the power sysadmin group. It could only work for me, and I would be happy. Meanwhile, those who truly needed all the flexibility of sudo would install it from ports, and they would be happy.

Be aware that sudo(8) is also maintained and developed by Todd C. Miller, an OpenBSD developer.

Quote:

Originally Posted by FOSSilized_Daemon (Post 6006791)
I wouldn't have asked this question had I known this thread would have gotten this out of hand....

You have done nothing wrong in asking this question.


All times are GMT -5.